Mac OS X, Mass Deployment

Verifying & Repairing Permissions

Disk Utility has a nifty little button to Verify Disk Permissions and another to Repair Disk Permissions. Many use this frequently over the course of basic Mac OS X troubleshooting.

The underlying functionality is also exposed at the command line. diskutil (located in /usr/sbin) has the verifyPermissions and repairPermissions verbs, which roughly correspond to the buttons in Disk Utility. Because these can be run against different disks, each needs the volume indicated following the verb. For example, to run a Verify Disk Permissions against a volume called Seldon, you would use the following command:

diskutil verifyPermissions /Volumes/Seldon

To then run a Repair Disk Permissions on that same volume, you would use:

diskutil repairPermissions /Volumes/Seldon

In most cases, repairPermissions is run against the currently booted volume. To find this volume, you can use the bless command along with the --getBoot option. For example:

bless --getBoot

Bless will then respond with the device that comprises your boot volume. To convert this into a path that can be used with diskutil, you would use the diskutil command followed by info followed by the output of the bless command. For example, if the device were /dev/disk0s2 then you would run the following:

diskutil info /dev/disk0s2

You could then script a repair permission of the boot volume using the following, which would also dump the output into a log file:

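# Device node of the boot volume, for example /dev/disk0s2

declare tmp=$(bless --getBoot)

# Create the log directory if it does not already exist

mkdir -p /var/log/318

# Pull the name out of the diskutil info output (fixed columns, so this depends on diskutil's layout)

declare boot=$(diskutil info "$tmp" | grep "Media Name:" | cut -c 30-100)

/usr/sbin/diskutil repairPermissions "$boot" >> /var/log/318/fixperm.log

echo "Repair Permissions completed at `date`" >> /var/log/318/fixperm.log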

Placing this script into a package would then allow for sending a Repair Disk Permissions command to client computers through, let's say, ARD, or even allow a user to run it themselves using the JAMF self-service client. All without having to leave one's chair or provide an administrative password to a user (having said this, the script will require local administrative privileges).
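Because the script runs with administrative privileges and feeds the output of one command into the next, it helps to check the bless output and to read diskutil info by field label instead of by `cut -c 30-100` column offsets. The following is an added example, not part of the original post: the function names, the sample text and the choice of the Mount Point field (rather than Media Name) are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post). Sample text below is constructed.
SAMPLE_INFO='   Device Identifier:        disk0s2
   Device Node:              /dev/disk0s2
   Volume Name:              Macintosh HD
   Mount Point:              /'

# Succeed only if $1 is a bare device node such as /dev/disk0s2.
is_device_node() {
    case "$1" in
        /dev/disk[0-9]*) ;;
        *) return 1 ;;
    esac
    rest=${1#/dev/disk}
    case "$rest" in
        *[!0-9s]*) return 1 ;;   # spaces, slashes, extra words, etc.
    esac
    return 0
}

# Read `diskutil info` text on stdin and print the value of the field "$1".
# Matches the label itself, so it does not depend on column offsets.
info_field() {
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}          # trim leading blanks
        case "$line" in
            "$1":*)
                val=${line#"$1":}
                val=${val#"${val%%[![:space:]]*}"}     # trim leading blanks
                val=${val%"${val##*[![:space:]]}"}     # trim trailing blanks
                printf '%s\n' "$val"
                return 0 ;;
        esac
    done
    return 1   # field not present
}

# Hypothetical wrapper for the real run on a Mac (needs root); not called here.
repair_boot_permissions() {
    dev=$(bless --getBoot) || return 1
    is_device_node "$dev" || { echo "unexpected bless output: $dev" >&2; return 1; }
    mnt=$(diskutil info "$dev" | info_field "Mount Point") || return 1
    [ -n "$mnt" ] || return 1
    mkdir -p /var/log/318
    diskutil repairPermissions "$mnt" >> /var/log/318/fixperm.log 2>&1
    echo "Repair Permissions completed at $(date)" >> /var/log/318/fixperm.log
}

printf '%s\n' "$SAMPLE_INFO" | info_field "Mount Point"   # prints /
```

If bless returns nothing or the volume has no mount point, the wrapper stops before diskutil repairPermissions is ever called.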